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IN THE CLAIMS 

1. (Currently Amended) A method for controlling access to a computing system resource, 
being accessed through a symbolic link file, with an externally stored resource 

comprising the steps of: 

determining a system resource named in the symbolic link through which the an 

access attempt is made; 

searching a protected objects database for entries protecting said system resource 

and generating a list of said entries; and 

generating an authorization decision for the access attempt based on security 
policies'hat govern all entries in the protected objects database that protect f*##*mg the 
system resource. 

2. (Original) The method as described in claim 1 wherein said control method grants 
access if said search does not find in the protected objects database, the system resource 
named in the symbolic link through which the access attempt is made. 

3. (Original) The method as described in claim 1 wherein said authorization decision step 

comprises the steps of: 

retrieving a current entry from said generated database list; 

calling an access decision component of the externally stored resource to obtain 
an access decision for the access attempt based on the security policy that governs the 
current entry in the generated database list; 

determining whether the access decision component granted access; 

if the decision component granted access, determining whether more entries are in 

this database list; and 

updating a current entry in said database list when more entries are in the list and 

returning to said current entry retrieving step. 
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4. (Original) The method as described in claim 3 further comprising the step of denying 

the access attempt when the decision component denies access based on the security 
policy for the current database entry. 

5. (Original) The method as described in claim 3 further comprising the step of allowing 
the access attempt if no more entries are in the database list. 

6. (Original) The method as described in claim 1 wherein said searching step comprises 
the steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the database entry to the name of the system resource that 

is an object of the access attempt; 

when there is a match between the database entry and the system resource name 
that is the object of the access attempt, determining whether the resource is named in a 
symbolic link that is listed in the protected object database; and 

generating a list containing the exact found entry, when the entry is not named in 
a symbolic link listed in the protected object database. 

7. (Original) The method as described in claim 1 wherein said searching step comprises 
the steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the retrieved database entry to the name of the system 
resource that is the object of the access attempt; 

when there'is a match between the database entry and the name of the resource 
that is the object of the access attempt, determining whether the database entry is named 
in a symbolic link that is listed in the protected object database; 

adding said entry to a list containing found entries, when the entry is named in a 
symbolic link listed in the protected object database; 

determining whether there are more entries in the protected object database; and 

updating a current database entry in said database when more entries are in the 
database and returning to said current entry retrieving step. 
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8. (Original) The method as described in claim 1 wherein said searching step comprises 
the steps of: 

retrieving an entry from the protected objects database; 

comparing the name of the retrieved database entry to the name of the system 
resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, determining whether the database is named in a 
symbolic link that is listed in the protected object database; 

adding said entry to a list containing found entries, when the entry is named in a 
symbolic link listed in the protected object database; 

determining whether there are more entries in the protected object database; and 

returning the list containing found entries, when there are no mOTe entries. 

9. (Original) The method as described in claim 1 further comprising before said retrieving 
step the step of generating a protected objects database. 

10. (Original) The method as described in claim 9 comprising the steps of: 

retrieving file attributes for a system resource file; 

determining from said retrieved file attributes whether said resource file is a 
symbolic link file; 

when resource file is a symbolic link, retrieving the name and attributes of the 
system resource named in the symbolic link; and 

adding the symbolic link and system resource named in the symbolic link to the 
protected objects database. 
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1 1 . (Original) The method as described in claim 9 comprising the steps of: 

retrieving file attributes for a system resource file; 

determining from said retrieved file attributes whether said resource file is a 

symbolic link file; and 

terminating said method and processing the system resource file access attempt 

through other methods. 

12. (Original) The method as described in claim 10 wherein said adding step comprises 
the steps of: 

setting the system resource named in the symbolic Hnk as the child of the 
symbolic link; 

setting the symbolic link naming the resources as the parent of said resource; 
adding the symbolic link as an entry in the protected object database; and 

adding the named resource as an entry in the protected objects database. 

13. (Original) A method for controlling access to a computing system device being 
accessed through symbolic link, said access control being implemented through an 
externally stored resource and comprising the steps of: 

monitoring the computing system for activities related to creating and accessing 
symbolic links that link to system resources; 

restricting the creation of symbolic link files based on the rules defined in the 
externally stored resource; and 

restricting accesses to system resources that are linked to and accessed by a 

symbolic link. 
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14. (Original) A computer program product in a computer readable medium lor 

controlling access to a computing system resource, being accessed through a symbolic 
link file, with an externally stored resource comprising the steps of: 

instructions for determining a system resource named in the symbolic link 
through which the access attempt is made; 

instructions for searching a protected objects database for entries protecting said 
system resources and generating a list of said entries; and 

instructions for generating an authorization decision for the access attempt based 
on the security policies that govern all entries in the database protecting the system 
resource. 

15. (Original) The computer program product as described in claim 14 wherein said 
authorization decision instruction comprises: 

instructions for retrieving the current entry from said generated database list; 

instructions for calling an access decision component of the externally stored 
resource to obtain an access decision for the access attempt based on the security policy 
that governs the current entry in the generated database list; 

instructions for determining whether the access decision component granted 

access; 

if the decision component granted access, instructions for determining whether 
more entries are in this database list; 

instructions for updating a current entry in said database list when more entries 
are in the list and returning to said current entry retrieving step. 

16. (Original) The computer program product as described in claim 15 further comprising 
instructions for denying the access attempt when the decision component denies access 
based on the security policy for the current database entry. 

17. (Original) The computer program product as described in claim 15 further comprising 
instructions for allowing the access attempt if no more entries in the database list 
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18. (Original) The computer program product as described in claim 14 wherein said 
searching instructions comprise: 

instructions for retrieving an entry from the protected objects database; 

instructions for comparing the name of the database entry to the name of a system 
resource that is the object of the access attempt; 

instructions for when there is a match between the database entry and the name of 
the resource that is the object of the access attempt, determining whether the system 
resource is named in a symbolic link that is listed in the protected object database; and 

instructions for generating a list containing the exact found entry, when the entry 
is not named in a symbolic link listed in the protected object database. 

19. (Original) The computer program product as described in claim 14 wherein said 
searching instructions comprise: 

instructions for retrieving an entry from the protected objects database; 

instructions for comparing the name of the database entry to the name of a system 
resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, instructions for determining whether the database 
entry is named in a symbolic link that is listed in the protected object database; 

instructions for adding said entry to a list containing found entries, when the entry 
is not named in a symbolic link listed in the protected object database; 

instructions for determining whether there are more entries in the protected object 
database; and 

instructions for updating a current database entry in said database when more 
entries are in the database and returning to said current entry retrieving step. 
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20. The computer program product as described in claim 14 wherein said searching 

instructions comprise: 

instructions for retrieving an entry from a protected objects database; 

instructions for comparing the name of the retrieved database entry to the name of 
a system resource that is the object of the access attempt; 

when there is a match between the database entry and the name of the resource 
that is the object of the access attempt, instructions for determining whether the database 
is named in a symbolic link that is listed in the protected object database; 

instructions for adding said entry to a list containing found entries, when the entry 
is not named in a symbolic link listed in the protected object database; 

instructions for determining whether there are more entries in the protected object 

database; and 

instructions for returning the list containing found entries. 

21. (Original) The method as described in claim 20 further comprising before said 
retrieving instructions the instructions for generating a protected objects database. 

22. (Currently amended) A computer connectable to a distributed computing system, 
which included symbolic links pointing to system resources and comprising: 

a processor; a native operating system; application programs; 

an externally stored authorization program overlaying said native operating 
system and augmenting the standard security controls of said native operating system; 

a protected objects database within said external authorization program containing 
as entries protected symbolic link files and system resources pointed to by these protected 
symbolic Jinks link files such that the protection of the symbolic link is attached to said 
system resources; 

a decision component with said authorization program for controlling access to 
system resources being accessed through symbolic links; and 

a decision component with said authorization program for controlling the creation 
of symbolic links through which system resources are accessed. 
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23. (Currently amended) A method for restricting the creation of a protected symbolic 
link that names a system resource comprising the steps of: 

determining a system resource named in fee a proposed symbolic link; 

searching a protected objects database for entries protecting said system resource 
named in the proposed symbolic link; 

generating a list of file entries that contain the system resource named in a 

proposed symbolic link; and 

generating an authorization decision for a creation attempt based on the security 
policy that governs each entry in the protected obiects_database. 

» 

generating an authorization decision for the access attempt based on security 
policies that govern all entries in the protected objects database that protect pjeteetiag the 
system resource. 

24. (Original) The method as described in claim 23 wherein said restriction method 
allows a creation attempt if said search does not find in a protected objects database, the 
resource named in the proposed symbolic link. 
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25. (Original) The method as described in claim 23 wherein said authorization decision 
step comprises the steps of: 

retrieving a current entry from said generated database list; 

calling a creation decision component of the externally stored resource to obtain a 
decision for the symbolic link creation attempt based on the security policy that governs 
the current entry in the generated database list; 

determining whether the creation decision component allows creation of a 
symbolic link; 

if the decision component allowed creation, 

determining whether more entries are in this database list; 

updating a current entry in said database list when more entries are in the list and 
• returning to said current entry retrieving step. 

26. (Original) The method as described in claim 25 further comprising the step of 
denying the creation attempt when the decision component denies the creation attempt 
based on the security policies that govern all entries in the database protecting the system 
resource. 

27. (Original) The method as described in claim 25 further comprising the step of 
allowing the symbolic link creation attempt if no more entries in the database list. 

28. (Original) The method as described in claim 23 further comprising before said 
retrieving step the step of generating a protected objects database. 
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